Debian eth0 到 wlan0 转发,使用 openvpn

Debian eth0 到 wlan0 转发,使用 openvpn

我使用的是“raspian”(树莓派的 Debian),并希望树莓派通过 eth0 使用 wlan0 提供互联网访问。这里的问题是,虽然 wlan0 连接到我的路由器,但我希望它通过 openvpn 网络路由流量。
可能很难理解,所以这里有一个图表:

PC 连接到 Raspberry Pi 的以太网端口 --> [Raspberry Pi 上的 eth0 ->通过使用 wlan0 的 openvpn 隧道] --> 我的路由器 --> openvpn 服务器 --> 互联网

桥梁(?)是通过以下方式完成的:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

我现在唯一的问题是当我启动 openvpn 服务时,wlan 接口关闭?当然,openvpn 在此之后也会失去连接,因为不再有互联网连接。然后我尝试使用“wpa_cli reconnect”重新启用 wlan 接口,但随后我收到“TLS 错误:本地/远程 TLS 密钥不同步:[AF_INET]$MY_OPENVPN_SERVER_IP:1194 [0]”
(请注意,openvpn 连接是之前建立的,所以我相信这不是时钟问题?)

可能相关的配置文件:
/etc/openvpn/client.conf
client dev tun proto udp

remote $MY_OPENVPN_SERVER_IP
resolv-retry infinite
persist-key
persist-tun

ca ca.crt
cert raspberry.crt
key raspberry.key

comp-lzo
keepalive 10 60
verb 3

/etc/dhcp/dhcpd.conf

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

log-facility local7;

subnet 10.42.0.0 netmask 255.255.255.0 {
  range 10.42.0.10 10.42.0.100;
  option domain-name-servers 8.8.8.8;
  option domain-name "internal.raspi.org";
  option routers 10.42.0.2;
  option broadcast-address 10.42.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}

/etc/网络/接口

auto lo

iface lo inet loopback
#iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

auto eth0
iface eth0 inet static
    address 10.42.0.2
    netmask 255.255.255.0
    broadcast 10.42.0.255

openvpn 启用之前的 ifconfig 输出:

eth0      Link encap:Ethernet  HWaddr b8:27:eb:ea:ea:45
          inet addr:10.42.0.2  Bcast:10.42.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14955 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3217763 (3.0 MiB)  TX bytes:28150535 (26.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1104 (1.0 KiB)  TX bytes:1104 (1.0 KiB)

wlan0     Link encap:Ethernet  HWaddr b0:48:7a:91:ca:2c
          inet addr:192.168.2.110  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23742 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14611 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28174574 (26.8 MiB)  TX bytes:3627713 (3.4 MiB)

openvpn 启用后的 ifconfig 输出:

eth0      Link encap:Ethernet  HWaddr b8:27:eb:ea:ea:45
          inet addr:10.42.0.2  Bcast:10.42.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15144 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22580 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3234735 (3.0 MiB)  TX bytes:28178133 (26.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1104 (1.0 KiB)  TX bytes:1104 (1.0 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.22  P-t-P:10.8.0.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1356 errors:0 dropped:84 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:894869 (873.8 KiB)

wlan0     Link encap:Ethernet  HWaddr b0:48:7a:91:ca:2c
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:23950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14759 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28204123 (26.8 MiB)  TX bytes:3648458 (3.4 MiB)

syslog,启用 openvpn 后不久:

Dec  1 17:21:23 raspberrypi ovpn-client[2301]: OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 28 2012
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: LZO compression initialized
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: Local Options hash (VER=V4): '41690919'
Dec  1 17:21:23 raspberrypi ovpn-client[2301]: Expected Remote Options hash (VER=V4): '530fdded'
Dec  1 17:21:23 raspberrypi ovpn-client[2302]: UDPv4 link local (bound): [undef]
Dec  1 17:21:23 raspberrypi ovpn-client[2302]: UDPv4 link remote: [AF_INET]$MY_OPENVPN_SERVER_IP:1194
Dec  1 17:21:23 raspberrypi ovpn-client[2302]: TLS: Initial packet from [AF_INET]$MY_OPENVPN_SERVER_IP:1194, sid=28e45b1e 0782389c
Dec  1 17:21:24 raspberrypi ovpn-client[2302]: VERIFY OK: depth=1, /C=US/ST=SECRET/L=Evilston/O=SecretLair/CN=SecretLair_CA/emailAddress=compendium@starstrider
Dec  1 17:21:24 raspberrypi ovpn-client[2302]: VERIFY OK: depth=0, /C=US/ST=SECRET/L=Evilston/O=SecretLair/CN=server/emailAddress=compendium@starstrider
Dec  1 17:21:26 raspberrypi ovpn-client[2302]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec  1 17:21:26 raspberrypi ovpn-client[2302]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec  1 17:21:26 raspberrypi ovpn-client[2302]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec  1 17:21:26 raspberrypi ovpn-client[2302]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec  1 17:21:26 raspberrypi ovpn-client[2302]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec  1 17:21:26 raspberrypi ovpn-client[2302]: [server] Peer Connection Initiated with [AF_INET]$MY_OPENVPN_SERVER_IP:1194
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.22 10.8.0.21'
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: OPTIONS IMPORT: timers and/or timeouts modified
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: OPTIONS IMPORT: --ifconfig/up options modified
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: OPTIONS IMPORT: route options modified
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: ROUTE default_gateway=192.168.2.1
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: TUN/TAP device tun0 opened
Dec  1 17:21:28 raspberrypi kernel: [ 1305.253893] tun: Universal TUN/TAP device driver, 1.6
Dec  1 17:21:28 raspberrypi kernel: [ 1305.253924] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: TUN/TAP TX queue length set to 100
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/ifconfig tun0 10.8.0.22 pointopoint 10.8.0.21 mtu 1500
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/route add -net $MY_OPENVPN_SERVER_IP netmask 255.255.255.255 gw 192.168.2.1
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.21
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.21
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.21
Dec  1 17:21:28 raspberrypi ovpn-client[2302]: Initialization Sequence Completed
Dec  1 17:21:28 raspberrypi ifplugd(tun0)[2342]: ifplugd 0.28 initializing.
Dec  1 17:21:28 raspberrypi ifplugd(tun0)[2342]: Using interface tun0/00:00:00:00:00:00 with driver <tun> (version: 1.6)
Dec  1 17:21:28 raspberrypi ifplugd(tun0)[2342]: Using detection mode: SIOCETHTOOL
Dec  1 17:21:28 raspberrypi ifplugd(tun0)[2342]: Initialization complete, link beat detected.
Dec  1 17:21:28 raspberrypi ifplugd(tun0)[2342]: Executing '/etc/ifplugd/ifplugd.action tun0 up'.
Dec  1 17:21:29 raspberrypi kernel: [ 1305.603457] wlan0: deauthenticating from 88:25:2c:32:a1:10 by local choice (reason=3)
Dec  1 17:21:29 raspberrypi kernel: [ 1305.694379] cfg80211: Calling CRDA for country: CN
Dec  1 17:21:29 raspberrypi ifplugd(wlan0)[1449]: Link beat lost.
Dec  1 17:21:29 raspberrypi ifplugd(tun0)[2342]: client: OK
Dec  1 17:21:29 raspberrypi wpa_supplicant[1532]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=3
Dec  1 17:21:29 raspberrypi ifplugd(tun0)[2342]: client: Ignoring unknown interface tun0=tun0.
Dec  1 17:21:29 raspberrypi wpa_action: WPA_IFACE=wlan0 WPA_ACTION=DISCONNECTED
Dec  1 17:21:29 raspberrypi wpa_action: WPA_ID=0 WPA_ID_STR= WPA_CTRL_DIR=/var/run/wpa_supplicant
Dec  1 17:21:29 raspberrypi wpa_action: ifdown wlan0
Dec  1 17:21:29 raspberrypi ifplugd(tun0)[2342]: Program executed successfully.
Dec  1 17:21:29 raspberrypi dhclient: Internet Systems Consortium DHCP Client 4.2.2
Dec  1 17:21:29 raspberrypi dhclient: Copyright 2004-2011 Internet Systems Consortium.
Dec  1 17:21:29 raspberrypi dhclient: All rights reserved.
Dec  1 17:21:29 raspberrypi dhclient: For info, please visit https://www.isc.org/software/dhcp/
Dec  1 17:21:29 raspberrypi dhclient:
Dec  1 17:21:29 raspberrypi dhclient: Listening on LPF/wlan0/b0:48:7a:91:ca:2c
Dec  1 17:21:29 raspberrypi dhclient: Sending on   LPF/wlan0/b0:48:7a:91:ca:2c
Dec  1 17:21:29 raspberrypi dhclient: Sending on   Socket/fallback
Dec  1 17:21:29 raspberrypi dhclient: DHCPRELEASE on wlan0 to 192.168.2.1 port 67
Dec  1 17:21:29 raspberrypi wpa_action: removing sendsigs omission pidfile: /run/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan0.pid
Dec  1 17:21:31 raspberrypi ntpd[1924]: Listen normally on 4 tun0 10.8.0.22 UDP 123
Dec  1 17:21:31 raspberrypi ntpd[1924]: Deleting interface #3 wlan0, 192.168.2.110#123, interface stats: received=54, sent=54, dropped=0, active_time=1279 secs
Dec  1 17:21:31 raspberrypi ntpd[1924]: 178.63.212.146 interface 192.168.2.110 -> (none)
Dec  1 17:21:31 raspberrypi ntpd[1924]: 85.214.240.100 interface 192.168.2.110 -> (none)
Dec  1 17:21:31 raspberrypi ntpd[1924]: 195.71.86.233 interface 10.42.0.2 -> 10.8.0.22
Dec  1 17:21:31 raspberrypi ntpd[1924]: 212.85.158.10 interface 10.42.0.2 -> 10.8.0.22
Dec  1 17:21:31 raspberrypi ntpd[1924]: peers refreshed
Dec  1 17:21:39 raspberrypi ifplugd(wlan0)[1449]: Executing '/etc/ifplugd/ifplugd.action wlan0 down'.
Dec  1 17:21:39 raspberrypi ifplugd(wlan0)[1449]: client: /sbin/ifdown: interface wlan0 not configured
Dec  1 17:21:39 raspberrypi ifplugd(wlan0)[1449]: Program executed successfully.

答案1

我在 Raspberry Pi 上通过 WiFi 设置 OpenVPN 时也遇到了同样的问题。结果发现,这个缺陷是wpa 漫游

/etc/network/interfaces 中的 wlan0 部分必须更改为:

allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

重要的是更换wpa 漫游经过wpa 配置文件

背景

在我的 /var/log/daemon.log 中启用 openvpn 后我发现以下条目:

Jan 13 22:40:19 raspberrypi ifplugd(tun0)[28971]: Executing '/etc/ifplugd/ifplugd.action tun0 up'.

随后

Jan 13 22:40:19 raspberrypi wpa_supplicant[3177]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=0
...
Jan 13 22:40:20 raspberrypi ifplugd(wlan0)[3108]: Link beat lost.
...
Jan 13 22:40:30 raspberrypi ifplugd(wlan0)[3108]: Executing '/etc/ifplugd/ifplugd.action wlan0 down'.
Jan 13 22:40:30 raspberrypi ifplugd(wlan0)[3108]: client: /sbin/ifdown: interface wlan0 not configured
Jan 13 22:40:30 raspberrypi ifplugd(wlan0)[3108]: Program executed successfully.

因此,这肯定与新网络设备的创建有某种关联。
分析/etc/ifplugd/ifplugd.action tun0 启动返回, /etc/ifplugd/action.d/action_wpa被执行。

/etc/ifplugd/action.d/action_wpa

#!/bin/sh

# Action script to enable/disable wpa-roam interfaces in reaction to
# ifplugd events.
#
# Copyright: Copyright (c) 2008-2010, Kel Modderman <[email protected]>
# License:   GPL-2
#

PATH=/sbin:/usr/sbin:/bin:/usr/bin

if [ ! -x /sbin/wpa_action ]; then
    exit 0
fi

# ifplugd(8) - <iface> <action>
#
# If an ifplugd managed interface is brought up, disconnect any
# wpa-roam managed interfaces so that only one "roaming" interface
# remains active on the system.

IFPLUGD_IFACE="${1}"

case "${2}" in
    up)
        COMMAND=disconnect
        ;;
    down)
        COMMAND=reconnect
        ;;
    *)
        echo "$0: unknown arguments: ${@}" >&2
        exit 1
        ;;
esac

for CTRL in /var/run/wpa_supplicant/*; do
    [ -S "${CTRL}" ] || continue

    IFACE="${CTRL#/var/run/wpa_supplicant/}"

    # skip if ifplugd is managing this interface
    if [ "${IFPLUGD_IFACE}" = "${IFACE}" ]; then
        continue
    fi

    if wpa_action "${IFACE}" check; then
        wpa_cli -i "${IFACE}" "${COMMAND}"
    fi
done

因此,为了节省漫游费用如果有其他网络设备可用,则所有漫游设备均被停用。该网络设备可能是真实设备,也可能是虚拟设备。

我只能通过 wifi 上的 ssh 访问 pi。远程杀死它,不得不等到回家后难的重启 ;-)

可能的其他方式

另一种方法是,在 /etc/network/interfaces 中配置 tun0 设备,使其不调用 /etc/ifplugd/action.d/action_wpa。这样漫游仍可工作。

相关内容